ICO.
Information Commissioner's Office

DATA PROTECTION ACT 1998

SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER

MONETARY PENALTY NOTICE

To: Home Sure Solutions Ltd

Of: Unit E10a & 10b Knoll Business Centre,
325-327 Old Shoreham Road,
Hove,
England,
BN3 7GS


The Information Commissioner (“the Commissioner”) has decided to 
issue Home Sure Solutions Ltd (“HSSL”) with a monetary penalty under 
section 55A of the Data Protection Act 1998 (“DPA”). The penalty is in 
relation to a serious contravention of regulation 21 of the Privacy and 
Electronic Communications (EC Directive) Regulations 2003 (“PECR”). 


This notice explains the Commissioner’s decision. 


Legal framework 


HSSL, whose registered office is given above (Companies House 
Registration Number: 11389563) is the organisation stated in this 
notice to have used a public electronic communications service for the 
purpose of making unsolicited calls for the purposes of direct marketing
contrary to regulation 21 of PECR.

Regulation 21 applies to the making of unsolicited calls for direct
marketing purposes. It means that if a company wants to make calls 
promoting a product or service to an individual who has a telephone 
number which is registered with the Telephone Preference Service Ltd
(“TPS”), then that individual must have notified the company that they
do not object to receiving such calls from it.

Regulation 21 paragraph (1) of PECR provides that:

“(1) A person shall neither use, nor instigate the use of, a public
electronic communications service for the purposes of making
unsolicited calls for direct marketing purposes where-

(a) the called line is that of a subscriber who has previously
notified the caller that such calls should not for the time being
be made on that line; or

(b) the number allocated to a subscriber in respect of the called
line is one listed in the register kept under regulation 26.”

Regulation 21 paragraphs (2), (3), (4) and (5) provide that:

“(2) A subscriber shall not permit his line to be used in contravention
of paragraph (1).

(3) A person shall not be held to have contravened paragraph (1)(b)
where the number allocated to the called line has been listed on the
register for less than 28 days preceding that on which the call is
made.

(4) Where a subscriber who has caused a number allocated to a line of
his to be listed in the register kept under regulation 26 has notified
a caller that he does not, for the time being, object to such calls
being made on that line by that caller, such calls may be made by
that caller on that line, notwithstanding that the number allocated
to that line is listed in the said register.

(5) Where a subscriber has given a caller notification pursuant to
paragraph (4) in relation to a line of his—

(a) the subscriber shall be free to withdraw that notification at
any time, and

(b) where such notification is withdrawn, the caller shall not
make such calls on that line.”


Under regulation 26 of PECR, the Commissioner is required to maintain 
a register of numbers allocated to subscribers who have notified them 
that they do not wish, for the time being, to receive unsolicited calls for 
direct marketing purposes on those lines. The Telephone Preference 
Service Limited (“TPS”) is a limited company which operates the 
register on the Commissioner’s behalf. Businesses who wish to carry 
out direct marketing by telephone can subscribe to the TPS for a fee
and receive from them monthly a list of numbers on that register.


Section 122(5) of the Data Protection Act 2018 (“DPA18”) defines 
direct marketing as “the communication (by whatever means) of 
advertising or marketing material which is directed to particular 
individuals”. This definition also applies for the purposes of PECR (see 
regulation 2(2) PECR and paragraphs 430 & 432(6) to Schedule 19 of 
the DPA18). 

“Individual” is defined in regulation 2(1) of PECR as “a living individual
and includes an unincorporated body of such individuals”.


A “subscriber” is defined in regulation 2(1) of PECR as “a person who is 
a party to a contract with a provider of public electronic
communications services for the supply of such services”.


Section 55A of the DPA (as applied to PECR cases by Schedule 1 to
PECR, as variously amended) states:

“(1) The Commissioner may serve a person with a monetary penalty if
the Commissioner is satisfied that -

(a) there has been a serious contravention of the requirements
of the Privacy and Electronic Communications (EC
Directive) Regulations 2003 by the person,

(b) subsection (2) or (3) applies.

(2) This subsection applies if the contravention was deliberate.

(3) This subsection applies if the person -

(a) knew or ought to have known that there was a risk that
the contravention would occur, but

(b) failed to take reasonable steps to prevent the
contravention.”


The Commissioner has issued statutory guidance under section 55C (1) 
of the DPA about the issuing of monetary penalties that has been 
published on the ICO’s website. The Data Protection (Monetary 
Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe 
that the amount of any penalty determined by the Commissioner must 
not exceed £500,000. 

PECR were enacted to protect the individual’s fundamental right to
privacy in the electronic communications sector. PECR were
subsequently amended and strengthened. The Commissioner will
interpret PECR in a way which is consistent with the Regulations’
overall aim of ensuring high levels of protection for individuals’ privacy
rights.


The provisions of the DPA remain in force for the purposes of PECR 
notwithstanding the introduction of the DPA18: see paragraph 58(1) of 
Schedule 20 to the DPA18. 


Background to the case 


HSSL first came to the attention of the Commissioner in September 
2020 following a number of complaints about unsolicited direct 
marketing calls relating to home emergency cover (i.e. white goods 
warranties, maintenance, and insurance services) from a particular 
Calling Line Identity (“CLI”). 


The Commissioner issued a third-party information notice (“3PIN”) to 
the relevant communications service provider, [redacted] trading as
[redacted], who confirmed in response that the CLI in question was
allocated to HSSL. [redacted] proceeded to provide details of other CLIs also
allocated to HSSL’s account between 1 July 2020 and 17 September
2020, and provided records of the outbound calls made from those
CLIs during that time. Using this information, the Commissioner was
able to identify six complaints arising from the CLIs attributed to HSSL
between 1 July 2020 and 17 September 2020, together with a number
of complaints which referred expressly to HSSL by name from the
same CLIs falling outside of this prescribed period.

The Commissioner also carried out a provisional screening exercise of
HSSL’s Call Dialler Records (“CDR”s) over the prescribed period, as
provided by [redacted] against the TPS register. Results showed that there
were 114,285 calls made to subscribers, of which 71,736 were made to
telephone numbers which had been registered with the TPS for not less
than 28 days.


Concerned that HSSL’s practices may be in contravention of PECR, the 
Commissioner sent an initial investigation letter to HSSL on 15 
December 2020 requesting inter alia information as to HSSL’s direct
marketing activity.


The Commissioner received no response to this letter, or to the chaser
letter which was sent on 12 January 2021.


The Commissioner therefore proceeded to serve an Information Notice 
on HSSL on 26 January 2021 requesting information deemed necessary 
for the purposes of determining HSSL’s compliance with data protection 
legislation. The information requested included the volume of calls 
made by HSSL between 1 March 2020 and 30 September 2020, and the
number of those calls which connected with a subscriber; evidence that
subscribers did not object to receiving the calls in relation to the
complaints which had been received by the Commissioner/TPS in
relation to HSSL’s direct marketing activity; and confirmation of any
TPS screening carried out by the organisation.


HSSL provided a substantive response on 1 March 2021, and 
apologised for the delay in providing the requested information. Within 
its response it was confirmed that HSSL does not obtain data directly
from individuals, rather it obtains it from a third party named as
[redacted] (which is understood to be a trading name of ‘[redacted]’)
(the “third-party data provider”). In addition it was
confirmed that HSSL does not hold specific consent for the calls made;
it relies on the third-party data provider to hold this. Furthermore, it
stated that it does not screen data against the TPS register, however it
requests that its third-party data provider screens the data prior to
purchase. HSSL provided some screenshots of emails between itself
and its third-party data provider from February 2020 regarding the
purchase of data and TPS checks.


The Commissioner sent some follow-up queries to HSSL later that day
requesting evidence of the ‘consent statements’ provided to individuals
when their data was collected; evidence of any due diligence conducted
with respect to the third-party data provider; and a copy of its contract
with the third-party data provider.


HSSL responded that day to reiterate that, as it does not collect the 
data from individuals directly, it does not have copies of the ‘consent 
statements’. It also confirmed that it does not have a contract with its 
third-party data provider, but made reference to its earlier response to 
the Commissioner where it had included screenshots of various email 
exchanges with that third-party data provider as purported evidence of 
due diligence. Within one of those email screenshots its third-party 
data provider provided prices for data which met HSSL’s criteria (UK 
Homeowners; aged 60+; landline numbers), stating “All Telephone
Numbers will be TPS and Live Number checked on the day of output”;
this screenshot is undated so it is not clear when these prices were
provided to HSSL. Another screenshot dated 5 February 2020
contained text from the third-party data provider stating that
“Consumers opt in, predominantly from online transactions. This could
be from [redacted] or anywhere else you can think of. It’s common for
consumers to be adamant that they have never opted in but when
checks are made low and behold they did. They just don’t recall it. If
you get anyone causing you problems relating to this, get the
consumer to email [redacted]. This is then sent
directly by us to the source of the data, who then deal with the
consumer directly. We do not get involved, and neither should you. [...]
We do not take calls on this matter, because we simply do not know
the answers! [...] Same goes for the TPS ones, and itl be handled.”


The Commissioner sent a further email to HSSL on 2 March 2021 
advising that he would expect HSSL, as part of its due diligence, to 
possess evidence of the consent / ‘consent statements’ being relied 
upon for its direct marketing campaign. Furthermore, a contract, or 
purchase agreement regarding the acquisition of data should be 
provided as a matter of course. The Commissioner therefore requested 
evidence of the ‘consent statements’ themselves, and any formal
agreements between HSSL and its third-party data provider.


HSSL’s response later that day advised that it “[feels it] did due
diligence by asking for confirmation from the company that all 
information was obtained correctly and followed all guidelines”. HSSL 
also explained that it reviewed the third-party data provider’s terms 
and conditions on its website which it stated included the “ICO logo”. 
HSSL said that it felt it could trust the company as a “GDPR regulated 
business”. As for any confirmation that the data was compliant, HSSL 
stated that it “took [the third-party data provider’s] word for this”. 


HSSL also reaffirmed that there were no contracts with its third-party 
data provider, and that it would just be invoiced for the data it
purchased (although no copies of these invoices were provided).


In response, the Commissioner advised HSSL on 3 March 2021 that it 
does not provide approval to any organisation for its business 
practices. The Commissioner advised HSSL that it should take steps to
provide copies of the ‘consent statements’ which would have been
visible to individuals at the point when the third-party data provider
obtained their data.


HSSL responded to say that it was “unaware that [it] had to obtain
confirmation of consent from every lead purchased from the company.
[It does] not have this information and have never been given it by the
[third-party data provider]”. HSSL confirmed that it was “no longer
purchasing data or contacting prospective clients”.


The Commissioner sent an ‘end of investigation’ letter to HSSL on 3 
March 2021. 


The Commissioner served a further 3PIN on 8x8 on 28 April 2021 in an 
attempt to establish the volume of calls made by HSSL which were 
received by subscribers. The response received on 10 May 2021 
confirmed that a total of 344,099 connected outbound calls were made 
by HSSL between 3 March 2020 and 30 September 2020. 


The Commissioner conducted an independent screening of the CDRs
provided by [redacted] to discover that of the 344,099 outbound calls made
within that period, 229,483 calls were made to numbers which had
been registered with the TPS for not less than 28 days at the time they
received the call.


The Commissioner is satisfied that the 229,483 calls were all made for
the purposes of direct marketing as defined by section 122(5) DPA18.


The Commissioner has made the above findings of fact on the
balance of probabilities.

The Commissioner has considered whether those facts constitute a
contravention of regulation 21 of PECR by HSSL and, if so, whether the
conditions of section 55A DPA are satisfied.

The contravention 

The Commissioner finds that HSSL contravened regulation 21 of PECR. 
The Commissioner finds that the contravention was as follows: 


Between 3 March 2020 and 30 September 2020, HSSL used a public 
telecommunications service for the purposes of making 229,483 
unsolicited calls for direct marketing purposes to subscribers where the 
number allocated to the subscriber in respect of the called line was a 
number listed on the register of numbers kept by the Commissioner in
accordance with regulation 26, contrary to regulation 21(1)(b) of PECR.


The Commissioner is also satisfied for the purposes of regulation 21 
that these 229,483 unsolicited direct marketing calls were made to 
subscribers who had registered with the TPS at least 28 days prior to 
receiving the calls, and who for the purposes of regulation 21(4) had
not notified HSSL that they did not object to receiving such calls.


For such notification to be valid under regulation 21(4), the individual 
must have taken a clear and positive action to override their TPS 
registration and indicate their willingness to receive marketing calls 
from the company. The notification should reflect the individual’s 
choice about whether or not they are willing to receive marketing calls. 
Therefore, where signing up to use a product or service is conditional
upon receiving marketing calls, companies will need to demonstrate
how this constitutes a clear and positive notification of the individual’s
willingness to receive such calls.


The notification must clearly indicate the individual’s willingness to 
receive marketing calls specifically. Companies cannot rely on 
individuals opting in to marketing communications generally, unless it
is clear that this will include telephone calls.


Further, the notification must demonstrate the individual’s willingness 
to receive marketing calls from that company specifically. Notifications 
will not be valid for the purposes of regulation 21(4) if individuals are
asked to agree to receive marketing from “similar organisations”,
“partners”, “selected third parties” or other similar generic descriptions.


HSSL has failed to provide any evidence that the subscribers had not 
objected to its unsolicited direct marketing calls, which it made having 
purchased data from a third-party data provider following mere 
assurances of veracity. Furthermore, HSSL has failed to provide any 
satisfactory evidence of due diligence being conducted in respect of the 
data which it was choosing to purchase. There is no evidence at all 
before the Commissioner to demonstrate that the individuals who 
received these unsolicited direct marketing calls from HSSL had 
provided notification that they did not object to receiving such calls 
from it. HSSL also failed to conduct any checks of its own against the
TPS register.


The Commissioner has gone on to consider whether the conditions
under section 55A DPA are met.


Seriousness of the contravention 

The Commissioner is satisfied that the contravention identified
above was serious. This is because there have been multiple breaches
of regulation 21 by HSSL arising from the organisation’s activities
between 3 March 2020 and 30 September 2020, and this led to
229,483 unsolicited direct marketing calls being made to subscribers
who were registered with the TPS and who had not notified HSSL that
they were willing to receive such calls.


The individuals who received these calls had their data collected from 
unidentified sources, and sold on by a third-party data provider for use 
by HSSL. The Commissioner is satisfied that individuals receiving these 
calls, who themselves had no prior relationship with HSSL, could not 
reasonably have expected to receive calls from HSSL, and had indeed 
registered with the TPS with a view to eliminating the possibility of
receiving such unsolicited calls.


The Commissioner is therefore satisfied that condition (a) from 
section 55A (1) DPA is met. 


Deliberate or negligent contraventions 


The Commissioner has considered whether the contravention identified
above was deliberate.


The Commissioner does not consider that in this instance there is
sufficient evidence to find that HSSL deliberately set out to contravene 
PECR. 


The Commissioner has gone on to consider whether the contravention 
identified above was negligent. This consideration comprises two
elements:




Firstly, he has considered whether HSSL knew or ought reasonably to 
have known that there was a risk that this contravention would occur. 
He is satisfied that this condition is met. HSSL purchased data from a 
third-party data provider which was ambiguous as to the source of the 
data being used, and dismissive of the potential intrusion on 
individuals’ privacy. HSSL should have been alerted by its third-party 
data provider’s cavalier attitude towards compliance and ought to have 
been suspicious about precisely where the data was being obtained 
from. Instead, it was content to purchase data which had been 
obtained from undisclosed sources, and relied on simple assurances 
that the data had been checked against the TPS register. 


The Commissioner has published detailed guidance for companies 
carrying out marketing explaining their legal requirements under PECR. 
This guidance explains the circumstances under which organisations 
are able to carry out marketing over the phone, by text, by email, by 
post or by fax. Specifically, it states that live calls must not be made to 
any subscriber registered with the TPS, unless the subscriber has 
specifically notified the company that they do not object to receiving 
such calls. In case organisations remain unclear on their obligations, 
the ICO operates a telephone helpline. ICO communications about 
previous enforcement action where businesses have not complied with
PECR are also readily available.


Standard practice of the TPS is to contact the organisation making the 
calls on each occasion a complaint is made. It is therefore reasonable 
to believe that HSSL would have received a notification from the TPS 
for each of the complaints being made in this case. The Commissioner 
was able to establish that there were a total of nine complaints made
to the TPS alone over the period of the contravention; the notification
which HSSL would have received for these complaints, in the
Commissioner’s submission, should have made HSSL aware of the risk
that such contraventions may occur and were indeed occurring.


It is therefore reasonable to suppose that HSSL should have been
aware of its responsibilities in this area.


Secondly, the Commissioner has gone on to consider whether HSSL 
failed to take reasonable steps to prevent the contravention. Again, he
is satisfied that this condition is met.


The Commissioner’s direct marketing guidance makes clear that 
organisations utilising marketing lists from a third party must 
undertake rigorous checks to satisfy themselves that the personal data 
was obtained fairly and lawfully, that their details would be passed 
along for direct marketing to the specifically named organisation in the 
case of live calls, and that they have the necessary notifications for the 
purposes of regulation 21(4). It is not acceptable to rely on assurances 
given by third party suppliers without undertaking proper due 
diligence. HSSL failed to carry out anything approaching satisfactory 
due diligence, and was instead content to rely on assurances by a 
third-party data provider. HSSL says that it was reassured by the 
presence of an ‘ICO logo’ on the third-party data provider’s website, 
but conducted no independent checks with the ICO to check the 
validity of this; if it had done so the Commissioner would have been 
able to advise HSSL that it does not endorse particular organisations. 
Furthermore, HSSL does not know (and took no substantive steps to 
establish) the original source of the data which it purchased, and failed 
to conduct its own TPS checks (which it would be recommended to
have done despite any assurances provided by its third-party data
provider).

The Commissioner’s guidance also advises that, in terms of the expected
due diligence when purchasing data, a reputable list broker should be 
able to demonstrate that the marketing list being sold is reliable, by 
explaining how it was compiled and providing full details of what 
individuals were told at the point when their details were taken. If the 
seller cannot provide this information, a buyer should not use the list. 
It would be prudent for a buyer to have a written contract in place 
confirming the reliability of the list, as well as making its own checks. 
HSSL failed to ensure that a contract, or indeed any formal 
arrangement, was in place with its third-party data provider, and failed
to carry out its own checks.


Given the volume of calls, it is clear that HSSL failed to take these, or
indeed any, reasonable steps.


The Commissioner is therefore satisfied that condition (b) from section 
55A (1) DPA is met. 


The Commissioner's decision to issue a monetary penalty 


The Commissioner has taken into account the following aggravating
features of this case:


The Commissioner is concerned by the ‘pressured sales’ tactics and 
apparent mis-selling of products and services which subscribers had
clearly not anticipated receiving.


HSSL acted in contravention of PECR to generate cashflow and profit, 
gaining an unfair advantage on those organisations which complied with
the legislation.

HSSL were quoted a price by its third-party data provider for data
relating to individuals that were aged 60+; this criteria appears to have 
been specified by HSSL. The Commissioner is worried that this
demonstrates the deliberate targeting of a potentially vulnerable portion
of society.


The Commissioner does not consider that there are any mitigating
features in this case.


For the reasons explained above, the Commissioner is satisfied that the 
conditions from section 55A (1) DPA have been met in this case. He is 
also satisfied that the procedural rights under section 55B have been
complied with.


The latter has included the issuing of a Notice of Intent, in which the 
Commissioner set out his preliminary thinking. HSSL did not provide
any representations in response to the Notice of Intent.


The Commissioner is accordingly entitled to issue a monetary penalty
in this case.


The Commissioner has considered whether, in the circumstances, he
should exercise his discretion so as to issue a monetary penalty.


The Commissioner has considered the likely impact of a monetary 
penalty on HSSL. HSSL was invited to provide financial representations 
in response to the Notice of Intent, but failed to do so. The 
Commissioner has decided on the information that is available to him, 
that a penalty remains the appropriate course of action in the
circumstances of this case.

The Commissioner’s underlying objective in imposing a monetary
penalty notice is to promote compliance with PECR. The making of 
unsolicited direct marketing calls is a matter of significant public 
concern. A monetary penalty in this case should act as a general 
encouragement towards compliance with the law, or at least as a 
deterrent against non-compliance, on the part of all persons running 
businesses currently engaging in these practices. This is an opportunity 
to reinforce the need for businesses to ensure that they are only 
telephoning consumers who are not registered with the TPS and/or
specifically indicate that they do not object to receiving these calls.


For these reasons, the Commissioner has decided to issue a monetary
penalty in this case.


The amount of the penalty 


Taking into account all of the above, the Commissioner has decided 
that a penalty in the sum of £100,000 (one hundred thousand 
pounds) is reasonable and proportionate given the particular facts of
the case and the underlying objective in imposing the penalty.

Conclusion


The monetary penalty must be paid to the Commissioner’s office by 
BACS transfer or cheque by 14 April 2022 at the latest. The monetary 
penalty is not kept by the Commissioner but will be paid into the 
Consolidated Fund which is the Government’s general bank account at 
the Bank of England. 


If the Commissioner receives full payment of the monetary penalty by
13 April 2022 the Commissioner will reduce the monetary penalty by
20% to £80,000 (eighty thousand pounds). However, you should
be aware that the early payment discount is not available if you decide
to exercise your right of appeal.


There is a right of appeal to the First-tier Tribunal (Information Rights)
against:

(a) the imposition of the monetary penalty
and/or;
(b) the amount of the penalty specified in the monetary penalty
notice.


Any notice of appeal should be received by the Tribunal within 28 days
of the date of this monetary penalty notice.

Information about appeals is set out in Annex 1.


The Commissioner will not take action to enforce a monetary penalty
unless:

• the period specified within the notice within which a monetary
penalty must be paid has expired and all or any of the monetary
penalty has not been paid;

• all relevant appeals against the monetary penalty notice and any
variation of it have either been decided or withdrawn; and

• the period for appealing against the monetary penalty and any
variation of it has expired.

In England, Wales and Northern Ireland, the monetary penalty is
recoverable by Order of the County Court or the High Court. In
Scotland, the monetary penalty can be enforced in the same manner as
an extract registered decree arbitral bearing a warrant for execution
issued by the sheriff court of any sheriffdom in Scotland.


Dated the 14th day of March 2022.


Andy Curry 

Head of Investigations 
Information Commissioner’s Office 
Wycliffe House 

Water Lane 

Wilmslow 

Cheshire 

SK9 5AF 

ANNEX 1
SECTION 55 A-E OF THE DATA PROTECTION ACT 1998 
RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER 


1. Section 55B(5) of the Data Protection Act 1998 gives any person
upon whom a monetary penalty notice has been served a right of
appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’)
against the notice.

2. If you decide to appeal and if the Tribunal considers: -

a) that the notice against which the appeal is brought is not in
accordance with the law; or

b) to the extent that the notice involved an exercise of
discretion by the Commissioner, that he ought to have exercised
his discretion differently,

the Tribunal will allow the appeal or substitute such other decision as
could have been made by the Commissioner. In any other case the
Tribunal will dismiss the appeal.


3. You may bring an appeal by serving a notice of appeal on the
Tribunal at the following address:

General Regulatory Chamber
HM Courts & Tribunals Service
PO Box 9300
Leicester
LE1 8DJ

Telephone: 0203 936 8963
Email: grc@justice.gov.uk


a) The notice of appeal should be sent so it is received by the
Tribunal within 28 days of the date of the notice.

b) If your notice of appeal is late the Tribunal will not admit it 
unless the Tribunal has extended the time for complying with this 
rule. 


4. The notice of appeal should state: -

a) your name and address/name and address of your
representative (if any);

b) an address where documents may be sent or delivered to
you;

c) the name and address of the Information Commissioner;

d) details of the decision to which the proceedings relate;

e) the result that you are seeking;

f) the grounds on which you rely;

g) you must provide with the notice of appeal a copy of the
monetary penalty notice or variation notice;

h) if you have exceeded the time limit mentioned above the
notice of appeal must include a request for an extension of time
and the reason why the notice of appeal was not provided in
time.


5. Before deciding whether or not to appeal you may wish to consult
your solicitor or another adviser. At the hearing of an appeal a party
may conduct his case himself or may be represented by any person
whom he may appoint for that purpose.


6. The statutory provisions concerning appeals to the First-tier 
Tribunal (Information Rights) are contained in section 55B(5) of, and 
Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure 
(First-tier Tribunal) (General Regulatory Chamber) Rules 2009 
(Statutory Instrument 2009 No. 1976 (L.20)). 